Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Ubuntu 23.10 USN-6578-1 moderate: dotnet X.509 issues and DoS

ubuntu
Calendar Grey January 11, 2024
Dist Ubuntu Esm H88
Multiple security issues addressed for dotnet CLI apps across different Ubuntu releases. Update promptly for improved security.
Several security issues were fixed in dotnet6, dotnet7, and dotnet8.

Summary

Several security issues were fixed in dotnet6, dotnet7, and dotnet8.

Software Description:

- dotnet6: dotNET CLI tools and runtime

- dotnet7: dotNET CLI tools and runtime

- dotnet8: dotNET CLI tools and runtime

Details:

Vishal Mishra and Anita Gaud discovered that .NET did not properly

validate X.509 certificates with malformed signatures. An attacker

could possibly use this issue to bypass an application's typical

authentication logic. (CVE-2024-0057)

Morgan Brown discovered that .NET did not properly handle requests from

unauthenticated clients. An attacker could possibly use this issue to

cause a denial of service. (CVE-2024-21319)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~23.10.1
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~23.10.1
   aspnetcore-runtime-8.0          8.0.1-0ubuntu1~23.10.1
   dotnet-host                     6.0.126-0ubuntu1~23.10.1
   dotnet-host-7.0                 7.0.115-0ubuntu1~23.10.1
   dotnet-host-8.0                 8.0.1-0ubuntu1~23.10.1
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~23.10.1
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~23.10.1
   dotnet-hostfxr-8.0              8.0.1-0ubuntu1~23.10.1
   dotnet-runtime-6.0              6.0.126-0ubuntu1~23.10.1
   dotnet-runtime-7.0              7.0.115-0ubuntu1~23.10.1
   dotnet-runtime-8.0              8.0.1-0ubuntu1~23.10.1
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~23.10.1
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~23.10.1
   dotnet-sdk-8.0                  8.0.101-0ubuntu1~23.10.1
   dotnet6                         6.0.126-0ubuntu1~23.10.1
   dotnet7                         7.0.115-0ubuntu1~23.10.1
   dotnet8                         8.0.101-8.0.1-0ubuntu1~23.10.1

Ubuntu 23.04:
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~23.04.1
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~23.04.1
   dotnet-host                     6.0.126-0ubuntu1~23.04.1
   dotnet-host-7.0                 7.0.115-0ubuntu1~23.04.1
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~23.04.1
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~23.04.1
   dotnet-runtime-6.0              6.0.126-0ubuntu1~23.04.1
   dotnet-runtime-7.0              7.0.115-0ubuntu1~23.04.1
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~23.04.1
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~23.04.1
   dotnet6                         6.0.126-0ubuntu1~23.04.1
   dotnet7                         7.0.115-0ubuntu1~23.04.1

Ubuntu 22.04 LTS:
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~22.04.1
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~22.04.1
   dotnet-host                     6.0.126-0ubuntu1~22.04.1
   dotnet-host-7.0                 7.0.115-0ubuntu1~22.04.1
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~22.04.1
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~22.04.1
   dotnet-runtime-6.0              6.0.126-0ubuntu1~22.04.1
   dotnet-runtime-7.0              7.0.115-0ubuntu1~22.04.1
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~22.04.1
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~22.04.1
   dotnet6                         6.0.126-0ubuntu1~22.04.1
   dotnet7                         7.0.115-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References

  https://ubuntu.com/security/notices/USN-6578-1

  CVE-2024-0057, CVE-2024-21319

Ubuntu Security Notice USN-6578-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.